b3ff713108a89d70c2202fb9d3f43c31e1821930a5fd1f07b36887ff5aa18dca

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046919029770f1e6f8df03e428865948_JaffaCakes118.exe
Size

25.5MB
MD5

046919029770f1e6f8df03e428865948
SHA1

5038379ea2462fb7b9d2ac1712cf2b17d9b266b5
SHA256

b3ff713108a89d70c2202fb9d3f43c31e1821930a5fd1f07b36887ff5aa18dca
SHA512

d12e7987017196cdd88b654a1c59acd3c51c72356d147a33393711f6e7366c0fce685bd558272ac8d93b2cbe9bd483a308127fa3ac90cc0eeb10f66cadb6d749
SSDEEP

49152:XYgph7GBfWihDkYOMwwnMb4PmyVtHDkYOMwwnMb4PmyVGs:XX77GBfWLYOXwnS4rVtYYOXwnS4rVGs

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe	Nirsoft

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ati display driver = "ÔN@"	046919029770f1e6f8df03e428865948_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\cttunesvr.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\doskey.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpresult.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\hh.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\write.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\calc.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDADM.EXE_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mtstocom.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\colorcpl.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msfeedssync.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\runonce.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sethc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\write.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\com\MigRegDB.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\print.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\proquota.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tree.com-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\mighost.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssadmin.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\where.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\comp.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\prevhost.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tzutil.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\rasdial.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sfc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OptionalFeatures.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCT.EXE-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mtstocom.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\systeminfo.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wimserv.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\grpconv.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\pcaui.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesPerformance.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\unregmp2.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AdapterTroubleshooter.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msdt.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ocsetup.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\userinit.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vssadmin.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\gpscript.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DisplaySwitch.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\waitfor.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\AtBroker.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\srdelayed.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\SystemPropertiesHardware.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fltMC.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\taskkill.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wecutil.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dialer.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tasklist.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TCPSVCS.EXE-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RmClient.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\odbcconf.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RMActivate_ssp.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\sidebar.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\keytool.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\pack200.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\default-browser-agent.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javaws.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\vlc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\WinMail.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Windows Mail\WinMail.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\policytool.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\javacpl.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\private_browsing.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpenc.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zFM.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\bin\orbd.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-at_31bf3856ad364e35_6.1.7600.16385_none_4cd7fa8ce5381b26\at.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-netsh_31bf3856ad364e35_6.1.7600.16385_none_5f774c61592c67c3\netsh.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.22091_none_d2b1c721321aadf8\conhost.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_895a2b74415ea575\DismHost.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-grpconv_31bf3856ad364e35_6.1.7600.16385_none_fe7d1685575edfa6\grpconv.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-securestartup-notify_31bf3856ad364e35_6.1.7600.16385_none_78e75d04c1b0c873\fvenotify.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\msouc.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-addinutil_31bf3856ad364e35_6.1.7601.17514_none_29443e96f9fb6564\AddInUtil.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7600.16385_none_cc3a6a9c514031a2\fsutil.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_9d700972113e2691\wowreg32.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-appid_31bf3856ad364e35_6.1.7601.17514_none_b57215bac8c6d647\appidpolicyconverter.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-com-complus-ui_31bf3856ad364e35_6.1.7600.16385_none_0c9cb55c61e99805\dcomcnfg.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.22091_none_d0d0722c3bb0dc09\instnm.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..ageengine-utilities_31bf3856ad364e35_6.1.7600.16385_none_3580dea4def227d4\esentutl.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-devices-mcx2prov_31bf3856ad364e35_6.1.7600.16385_none_3482237b32c1daff\Mcx2Prov.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eventlog-commandline_31bf3856ad364e35_6.1.7600.16385_none_1cc9274696810e2f\wevtutil.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-optionaltsps_31bf3856ad364e35_6.1.7600.16385_none_3df12febe293ce5d\tcmsetup.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-snmp-evntwin_31bf3856ad364e35_6.1.7600.16385_none_12c5b5b81f2d2f1d\evntwin.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-winrsplugins_31bf3856ad364e35_6.1.7600.16385_none_160ccc8a92fae520\winrshost.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\ehome\CreateDisc\SBEServer.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..ative-serverbox-isv_31bf3856ad364e35_6.1.7601.17514_none_533cd4f8150e6a86\RMActivate_ssp_isv.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_6.1.7601.17514_none_7a2ff57a626c29fd\SpeechUXTutorial.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\rwinsta.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Journal.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ftp_31bf3856ad364e35_6.1.7601.17514_none_aef2c7dbb6cc16c1\ftp.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-controlpanel_31bf3856ad364e35_6.1.7601.17514_none_3d9977977190cdc4\tabcal.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.22091_none_d0d0722c3bb0dc09\instnm.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\NETFXRepair.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-legacyhwui_31bf3856ad364e35_6.1.7600.16385_none_3e69140a61f1eff5\hdwwiz.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-autoplay_31bf3856ad364e35_6.1.7601.17514_none_7920b60d569a4a1e\wmlaunch.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_netfx-csharp_compiler_csc_b03f5f7f11d50a3a_6.1.7600.16385_none_d2fff1dae966863c\csc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-jsc_b03f5f7f11d50a3a_6.1.7600.16385_none_14e6e9dab736481d\jsc.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-wtvconverter_31bf3856ad364e35_6.1.7600.16385_none_a8464accb5a91f59\WTVConverter.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-international-core_31bf3856ad364e35_6.1.7600.16385_none_459f562ff37206dd\MuiUnattend.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-rasclienttools_31bf3856ad364e35_6.1.7600.16385_none_cb3bc16fc2624947\rasdial.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..inboxgames-shanghai_31bf3856ad364e35_6.1.7600.16385_none_1c98ed5d08db04ce\Mahjong.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-clr_ilasm_exe_b03f5f7f11d50a3a_6.1.7601.17514_none_8fbf4b0735f59a32\ilasm.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-openfiles_31bf3856ad364e35_6.1.7600.16385_none_431b58a8041530aa\openfiles.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_f0a5d809ca926e4f\makecab.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_netfx-dw_b03f5f7f11d50a3a_6.1.7600.16385_none_5a768666c3091014\dw20.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-vault_31bf3856ad364e35_6.1.7600.16385_none_4d5e025e54ba15f8\VaultSysUi.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-icm-ui_31bf3856ad364e35_6.1.7600.16385_none_a0a25363eee12f40\colorcpl.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\wmpconfig.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_wcf-wsatconfig_b03f5f7f11d50a3a_6.1.7601.17514_none_d7ce65f32404434b\WsatConfig.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_6.1.7601.17514_none_b656fd566c17dc3a\mstsc.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe_	046919029770f1e6f8df03e428865948_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17514_none_d281ccc018b94ff4\conhost.exe-	046919029770f1e6f8df03e428865948_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000dc10d5dd65dd19165292aeb32c3164923a7174a887c43f66519ca1be278372a7000000000e80000000020000200000001f260cea886692d2b0ae719407edee75d69f3525575bbde4e4004f459079ff69900000008078a3335e137f16bc6a1ce60ead5da52e2537cebf90f3ddaf3dc1d14910662a2ed548091b29e966f97c35a8491d56b4e75964e81c0fad06b0a43cbe3f14b3f98d8f64d173b48122e4fe256c1b84a374450f13fc3eaba4a92a9c94d30c84bc2e68ba5e07d1c3b246b02d7efe84c9c15371b115c9698ce4fc04866c69ae85eba4bf4c9d073ab49960d764453d7bc5999940000000bd1d4840ca78ee2f54b90f26ead7e62e4839c578042cedbee66e37d31802757d7d4527b8059ba68796df27ba115d2c496af73a0350e4c6a21735a1656e4a3122	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C76EE971-051A-11EF-9001-CA5596DD87F4} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0cff09d2799da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c60000000002000000000010660000000100002000000069baa9169a08688f476fb443c329bdd97924491cfb09d61693146d6185ef6b8a000000000e8000000002000020000000db358047c8c8ebb1953cc2cce46fffe7e238b971277f37ccf45ece8b3b20858020000000227ef53d4ab7755623fb836ea44e9f52fcea5955893ca71cd0b37645c6dc02b040000000db748aaa3a4700e5bfdfbfad6e4d5d47c624a597b712f458651ff74674a4eb98900dfa2f7056eeb61358baa614265dc97e3901db41ff5a5a1f0e3bcb22d5adc3	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420441672"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.exe

pid process

2320 IEXPLORE.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.exeIEXPLORE.EXE

pid process

2320 IEXPLORE.exe
2320 IEXPLORE.exe
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE
2532 IEXPLORE.EXE

pid	process
2320	IEXPLORE.exe

pid	process
2320	IEXPLORE.exe
2320	IEXPLORE.exe
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

046919029770f1e6f8df03e428865948_JaffaCakes118.exeIEXPLORE.exe

description	pid	process	target process
PID 2908 wrote to memory of 2320	2908	046919029770f1e6f8df03e428865948_JaffaCakes118.exe	IEXPLORE.exe
PID 2908 wrote to memory of 2320	2908	046919029770f1e6f8df03e428865948_JaffaCakes118.exe	IEXPLORE.exe
PID 2908 wrote to memory of 2320	2908	046919029770f1e6f8df03e428865948_JaffaCakes118.exe	IEXPLORE.exe
PID 2908 wrote to memory of 2320	2908	046919029770f1e6f8df03e428865948_JaffaCakes118.exe	IEXPLORE.exe
PID 2320 wrote to memory of 2532	2320	IEXPLORE.exe	IEXPLORE.EXE
PID 2320 wrote to memory of 2532	2320	IEXPLORE.exe	IEXPLORE.EXE
PID 2320 wrote to memory of 2532	2320	IEXPLORE.exe	IEXPLORE.EXE
PID 2320 wrote to memory of 2532	2320	IEXPLORE.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\046919029770f1e6f8df03e428865948_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\046919029770f1e6f8df03e428865948_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2908

C:\Program Files\Internet Explorer\IEXPLORE.exe
"C:\Program Files\Internet Explorer\IEXPLORE" 212.33.237.86/images/1/report.php
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2320 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe
Filesize
25.7MB

MD5
ee74883a42ee6661a7a3c981fa561664

SHA1
9746d9249823f80ffe9cf855e376015be9a19037

SHA256
aa68fe10a062f9660b675a0aaa22cda8578a6d9a45693c6b7027fc0246ce02da

SHA512
46a8c5613c7f6752a19c97d7e187d9531d7e59251f1f22b851eaf12e2127b1371909babb77cbc629b00e53a6509c26adb23f47e81f99bc2518aabec33a8ee8dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c2a11568dcf627ebaeaea6bb2310d4fd

SHA1
3037d895fef6c7d9d6819a510f1c909ec5fa2ad9

SHA256
bfb8d0b312120c1154b6fe3124ea772f2b0087f0dd97fe612c8dd4adaf60eeee

SHA512
f901a69b0596d840aff01bcb096ad1cfbc10359f5325cb6ee2a05d8673eec741452b94e431f32995ff3b170d03b71c1f03c4fcecba95e13043b133b023cb75cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9998c1f82b7e12cf141240eb6d42957c

SHA1
87d9816fc9e4576c4eb8e2ee36baea617b61289d

SHA256
80a418e9a6f035c6d567e5b80d28f9e82529d06acef49bc3670f8dd87c443dee

SHA512
ed0e679cc2307343b3e7bb2f35d7b3a318fa0719a2de887473d76765f5358b6fab1fff5ed5422df0101e8fe1fdbd71ed078b40f233726f684692e3cc5de8c6a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ff27970884bd76352b49ce48970d6a24

SHA1
4c3ba08aed4371787edab55b5946f6eec3e4fbe3

SHA256
d1bab3c96fee34378d6c5dd661ef85e07391f9c1ecc78f21ddf46f469ad6bec6

SHA512
948c3b08105137e59ba7d8033c0e759351f0eb53e1cd663e42c7d127e8fc0eb4c78a64c73feb905f4e5a5921a9f0e95fddcf315fc477218d378eeb28e145579a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a460023bec39b227199e3378ae012745

SHA1
d1ab62c4e28e0ab748e28a98529d132a5f93d5e0

SHA256
4e9036f8e343d77a7e2b01c160dc9b44b3212d75808c7dd73c19c05aa23bb183

SHA512
6278d873ea8834ee8d2afbe694bf634f63dc925f4ba07d7966e6fa8e72ff5af5536b6ae23acde5ef286ba5e9cbc0e489f3515c4e494c0fd2a506924d1193cfde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f7e56a30af6e128b1a709885ff95e656

SHA1
0075c12028e44de8c93f946122f83e5216da17c9

SHA256
567c64799b45e80cfe54edbbd0c7f24351f7d1a5dae2339a340f7612cf41c1aa

SHA512
001e5233c9e50284284ff0c8219c57b31983a9d22a0d1901214d925529d47bf214aba7cb5b58a362e882289d6cd658ca035da0f8ed7ca5a12ffc524d9949b211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
123d4458757c82dc981f8b8ff28ff982

SHA1
8f4df543546b72d81f739b6e16214789ede903db

SHA256
24e48f47bd4887c3cd413c696dbab3f943f0579beb3ae2956be5e3a38d83f5a3

SHA512
a843dfeb81496b3a8ded7fc4f02690bd4e32771767bec6f7a4de56f295defc06ecaa6dbd6a57f53577beeaae994ea0794210f5d1326eb805d3f29bda8c26a11d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d595a5f88b787614a73c5a402bc731c9

SHA1
471b2c53ec7e2a5ef38cd90b96cd85b5d98b18ca

SHA256
c2b6a8ec0e70e8a004b550d0f64a4a28460fa214c11c0462d32393b1c855285d

SHA512
1afa414fab80515353310a07f118cbdea5c6e8e4952c8776a27e33110346e16ecd6c39d1b815355aa9533d1dedeb24af1080126d52ed9fbe2baa35527418f995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
20cb80aef805eb1b64786f52501e6756

SHA1
8fee80f32b2163578532953b4be3dee58d3fa717

SHA256
57d8c8e50016b5b0bd6fd486c27cdb029c76cc9681c4e13f23d3988b058a2866

SHA512
3d6407ff58f6f9aca373c5275e7964e8fc12a81f03881d59b956946ef4304b2b3c50952fcf66a2eb3d32fc8c2701ededb649c023f465ab8a4e383a2a4f5ed92f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
833e7378a63fff210467ab349fb00341

SHA1
7fcd95e55720383fc0be61c58a33385f99f7febb

SHA256
87e3e47f3bd3111cb72f108cfabfa80f69feddcdbf09c26929c7f8181e2684e0

SHA512
7a7d5066c3abd7dca4513743e17058a62ff3541cf75ea9146748b5a00d788cdc2af6a659bdebecbf5c279e1ba50c8c729c83aa25cdcaf130fbab0df7cf50e581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
23870486e9deff3578fcc82b72553d65

SHA1
50de387a2a99195289ab6e2b6cb8fd3fb96d07ef

SHA256
d55e0285129b2805acb068ed470bf27969d4296037569b0716ea018b0e4f25fe

SHA512
5f4d2f82e4734f312c98a662ef1b89c45556836a513adb1949d44e04781a4e4de74da4bd67bd5163360d9946e45767c361873d059c69e1fabc36e58247cd4380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
55aa45965f330fc3564f8b91ce55d4ef

SHA1
b61bf46cb5c36ea7dfb39ef463a3c99b359c19fe

SHA256
0a6cfd9fb9601b78083855c18d0900f5b8ebfcfcfec4a416d9e87410c8e5811e

SHA512
569e530b652d340b725725295b583597b7a9856e4d5822c26665d83117a4eefbd5cda4baaf3bec8873b6b30e5fadb9ae139120730922094cc891e26428fe62fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d0e753176b19d1be1208e9c2fee90558

SHA1
ac6d4b4f42fceb8bf8c96dc114f1b6e8af453512

SHA256
5accf05f6db4af894fb30234d21252d2b2a81a78062b93fe0c0c353af72d9a8f

SHA512
dc135e52bc374c277ba8fded21ed7a968a8a90c5193f526c8627ec5cf8e81336821d504c7ec307bf91f6c92b5870c69a3eb983eda58d4efb032a2f0554238b17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
46eb2b2746414befe6bb40e0d5d7c7c0

SHA1
e224dc9f8d2da8c261ccf614a691dc7a8722388e

SHA256
f3d6071a91d60de8ec0fcbf65fe6b51d31b1a8c494ceebcb842155dc45e1788d

SHA512
13d9c270c386cd55850789b63b5868d7fa185e1937b72caf0eed3276a8723c95b69275db6842ce787b6e3c7c8c6c11910894dc12fa1c8bc552c8ee48acea4017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
771f1bfec2d8a00d43f8e2ec2c28443b

SHA1
50389ff3b9651a91197bcaaafc2ce02b354ce1ab

SHA256
c6a026a2a70658e8a4ca364eb86f53d1cde888744758aeda1c2cd056b5b80408

SHA512
3c325327990a79160f3f5710488ec04c87d170c76b0e9416044974a2cc36cf8077e9fa9f074445cc5e2cc4c8671cbc8d7bbeae3e5622fe0cf9bcc937f6e0af21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
db94490ef75f4905aef927cab5ebd80c

SHA1
d4e7a13a2bc3ecb190a0e49356ad52403c6ddfb4

SHA256
da1c7b6e0a3adf4fed501aa2202d05e5afd1b76e464b62260b488f5f51a7fd7e

SHA512
e7f2aea1b15dfd82702ca5da86ffa6f28e6ef94893e1dab26c9dc54a83d9e5e8078b48b157c5cd54c919d71fd556de566e1d2e443e8f8b6795b6ada786770eae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7b4d217bb5419e04180121a616b4090b

SHA1
2ab637e7f82adaf84d6e83a1a242087623609ab9

SHA256
c2cab5bb7ae143aad7097c37447a03d6ff1a9de6adb7219b684cf3dcb47c7323

SHA512
f306de588af78eaa93009c8a0220fec144eaf540cae3422f73e22b1f5a63e571adb4944cc6c7df6d13a485487b3b75c51aa1a7a3a0c8aea55c9d2fe0f512c55f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c7bf7b8d4d7156d39125981f63ccfaf6

SHA1
a6e55bb5736e5b1963bd3c9ccdec859146c56975

SHA256
6cf943327406294500a65a60ea148aee8b1d56759d87b606135653590c1674eb

SHA512
2f4a4944ce1b12a04ebba4a8b42ffd980c0cf2376673aa4d95d7f9a4b02f73d2bc98a78a285884fae5ed51a95e69f347324899c3b5208cd53fd6f6c6280742c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b945ed69e988b57b48e0274976bdfd8a

SHA1
ec4c10a3d0c65e9ca79941c3ab3c56c0d6a7f367

SHA256
cf8f3d178ff426d1f568fb4d594403d76160476a177a5e330de03f4146e923e1

SHA512
f848bd51a5d33493676b5cb3463c3b7461027c5c3bc8f4593c4648cbd1168a5e860af94059b92ef7b131fb967e055de2dc94b49873b7445fcca3fbbaa4d9a5ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1363f29f0b7878b9f607b124216d72f0

SHA1
134d6a6dda935700cae0479d81e8a920321da4fe

SHA256
65ec58c5e5084fd784c6695e679e72cc983e084d0bf79183964b2a4f1ee1a136

SHA512
22a1e6995f16327910416c87cb5d99a97c02b02f0260cd39c1dd54ffc43d9fc9e7e46e0c2e6ca41c206a7ef41b42536a14264b1c1dab6f358bc9036321436a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab429F.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar447A.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit